Re: [squid-users] Squid 2.6 Access Log Not showing access to websites
Henrik,

Thanks for reply, can you please provide me the rule which I have to add at (NAT:s).

Regards, Kirtimaan

Henrik Nordstrom wrote:

On tor, 2008-06-05 at 11:37 +0530, Kirtimaan wrote:

On squid box, there is a utility Guarddog used for port forwarding. So it forward all traffic on port 80 to Squid port 3128.

I'd say your problem is here. You have port forwarded port 80 on the server itself to port 3128 on the server itself. Same as configuring Squid to listen on port 80 directly.

What you need is a rule which intercepts (NAT:s) any outgoing traffic to port 80 on servers out on the Internet and redirect these to Squid. This is different from port 80 on the server itself.

Regards Henrik
Re: [squid-users] Squid 2.6 Access Log Not showing access to websites
Protocol: TCP
Source IP: LAN
Source port: ANY
Destination IP: ANY
Destination port: 80
Action: DNAT to serverip:port, or alternatively REDIRECT to proxy port

You can find iptables rule templates in the Squid FAQ. I can not help you with the GUI tool you are using as I have never seen it or used it, and from what I have read Guarddog DOES NOT support NAT or even port forwarding.

Regards Henrik

On fre, 2008-06-06 at 11:42 +0530, Kirtimaan wrote:

Henrik, Thanks for reply, can you please provide me the rule which I have to add at (NAT:s).

Regards, Kirtimaan

Henrik Nordstrom wrote:

On tor, 2008-06-05 at 11:37 +0530, Kirtimaan wrote:

On squid box, there is a utility Guarddog used for port forwarding. So it forward all traffic on port 80 to Squid port 3128.

I'd say your problem is here. You have port forwarded port 80 on the server itself to port 3128 on the server itself. Same as configuring Squid to listen on port 80 directly.

What you need is a rule which intercepts (NAT:s) any outgoing traffic to port 80 on servers out on the Internet and redirect these to Squid. This is different from port 80 on the server itself.

Regards Henrik
Re: [squid-users] Squid 2.6 Access Log Not showing access to websites
Henrik,

Thanks for details. I will try these and reply with results.

Regards, Kirtimaan

Henrik Nordstrom wrote:

Protocol: TCP
Source IP: LAN
Source port: ANY
Destination IP: ANY
Destination port: 80
Action: DNAT to serverip:port, or alternatively REDIRECT to proxy port

You can find iptables rule templates in the Squid FAQ. I can not help you with the GUI tool you are using as I have never seen it or used it, and from what I have read Guarddog DOES NOT support NAT or even port forwarding.

Regards Henrik

On fre, 2008-06-06 at 11:42 +0530, Kirtimaan wrote:

Henrik, Thanks for reply, can you please provide me the rule which I have to add at (NAT:s).

Regards, Kirtimaan

Henrik Nordstrom wrote:

On tor, 2008-06-05 at 11:37 +0530, Kirtimaan wrote:

On squid box, there is a utility Guarddog used for port forwarding. So it forward all traffic on port 80 to Squid port 3128.

I'd say your problem is here. You have port forwarded port 80 on the server itself to port 3128 on the server itself. Same as configuring Squid to listen on port 80 directly.

What you need is a rule which intercepts (NAT:s) any outgoing traffic to port 80 on servers out on the Internet and redirect these to Squid. This is different from port 80 on the server itself.

Regards Henrik
Re: [squid-users] Squid 2.6 Access Log Not showing access to websites
On squid box, there is a utility Guarddog used for port forwarding. So it forward all traffic on port 80 to Squid port 3128.

I'd say your problem is here. You have port forwarded port 80 on the server itself to port 3128 on the server itself. Same as configuring Squid to listen on port 80 directly.

I think Henrik is right. Pls do not use such a GUI tool. Pls input iptables command by hand.

What you need is a rule which intercepts (NAT:s) any outgoing traffic to port 80 on servers out on the Internet and redirect these to Squid. This is different from port 80 on the server itself.

Pls try below rules.

# On the squidbox, open Squid port (3128) for LAN IPs
iptables -A INPUT -i eth0 -d ipofsquidbox -p tcp -s ipofLANs/24 --dport 3128 -j ACCEPT

# Redirect traffic destined to port 80 to port 3128
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 3128

Hope to hear from you. Happy squiding

-- Thank you Indunil Jayasooriya
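The difference Henrik describes in this thread (a port-80 rule that only matches the box's own address versus one that intercepts routed traffic to any destination) can be checked from `iptables-save` output. This is an added example, not code from the thread; the function name `check_intercept`, the proxy address 192.168.1.10 and all three rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify nat-table rules from `iptables-save` output on stdin.
#   intercept  - PREROUTING sends routed port-80 traffic (any destination) to the proxy
#   local-only - the only port-80 rule matches the box's own address (-d BOX_IP)
#   none       - no port-80 REDIRECT/DNAT rule in PREROUTING
check_intercept() {
    awk -v box="$1" '
        /^\*/ { table = $1 }                     # table header such as "*nat"
        table == "*nat" && $1 == "-A" && $2 == "PREROUTING" {
            proto = ""; dport = ""; dst = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
                # "! -d addr" is a negated match, so it does not pin the rule to addr
                if ($i == "-d" && $(i - 1) != "!") dst = $(i + 1)
            }
            if (proto != "tcp" || dport != "80") next
            if (target != "REDIRECT" && target != "DNAT") next
            sub(/\/32$/, "", dst)                # iptables-save prints hosts as a.b.c.d/32
            if (dst == box) self_only = 1; else intercept = 1
        }
        END {
            if (intercept)      print "intercept"
            else if (self_only) print "local-only"
            else                print "none"
        }'
}

# Constructed samples (192.168.1.10 is an assumed proxy address, not from the thread).
RULES_LOCAL='*nat
-A PREROUTING -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'
RULES_INTERCEPT='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'
RULES_FILTER_ONLY='*filter
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT'

for sample in "$RULES_LOCAL" "$RULES_INTERCEPT" "$RULES_FILTER_ONLY"; do
    printf '%s\n' "$sample" | check_intercept 192.168.1.10
done
```

On a live gateway the input would come from `iptables-save` run as root, with the box's own LAN address as the argument.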
Re: [squid-users] Squid 2.6 Access Log Not showing access to websites
Hello,

There is one Eth in Squid Box. There is a DSL Router with IP 192.168.1.165. Squid box is configured to access internet and DNS service using this IP. There are 4 windows XP systems connected to same network and they use Squid box IP as their gateway and DNS server address. so it is like WINDOW CLIENTS = SQUID BOX = DSL ROUTER.

On squid box, there is a utility Guarddog used for port forwarding. So it forward all traffic on port 80 to Squid port 3128.

Squid box also have apache webserver, but that is configured on port 8080. So if any one in network have to use intranet, we have to use like http://squidbox:8080. When squid is running and we try to access it like http://squidbox it shows a page

---
* Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
-

So it looks like port forwarding is working proper as port 80. In squid conf, we have

--
http_port 3128 transparent
--

Thanks, Kirtimaan

Indunil Jayasooriya wrote:

To my surprise, I can use internet even when squid service is down. So now it means that squid is not configured properly ? How I can verify this, please guide. Thanks, Kirtimaan

Could you pls draw your network diagram? How many ethernet does squid box have? Hope to hear from you.
Re: [squid-users] Squid 2.6 Access Log Not showing access to websites
On Thu, Jun 5, 2008 at 11:37 AM, Kirtimaan [EMAIL PROTECTED] wrote:

Hello,

There is one Eth in Squid Box. There is a DSL Router with IP 192.168.1.165. Squid box is configured to access internet and DNS service using this IP. There are 4 windows XP systems connected to same network and they use Squid box IP as their gateway and DNS server address. so it is like WINDOW CLIENTS = SQUID BOX = DSL ROUTER.

On squid box, there is a utility Guarddog used for port forwarding. So it forward all traffic on port 80 to Squid port 3128.

Squid box also have apache webserver, but that is configured on port 8080. So if any one in network have to use intranet, we have to use like http://squidbox:8080. When squid is running and we try to access it like http://squidbox it shows a page

---
* Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Have you added ACL in squid.conf something like this.

acl our_networks src 192.168.1.0/24
http_access allow our_networks

Pls try it out

-- Thank you Indunil Jayasooriya
Re: [squid-users] Squid 2.6 Access Log Not showing access to websites
Kirtimaan wrote:

Hello,

There is one Eth in Squid Box. There is a DSL Router with IP 192.168.1.165. Squid box is configured to access internet and DNS service using this IP. There are 4 windows XP systems connected to same network and they use Squid box IP as their gateway and DNS server address. so it is like WINDOW CLIENTS = SQUID BOX = DSL ROUTER.

On squid box, there is a utility Guarddog used for port forwarding. So it forward all traffic on port 80 to Squid port 3128.

Um, I think for the evidence you have so far given that appears to be not quite the case. So far you have shown that:

- traffic directed at squidbox:80 = squidbox:3128
- traffic directed at random_ip:80 = random_ip:80

It looks to me like 'port forwarding' as done by Guarddog only affects traffic within the _internal_ side of the box. Not the _routing_ side of the box.

Squid box also have apache webserver, but that is configured on port 8080. So if any one in network have to use intranet, we have to use like http://squidbox:8080. When squid is running and we try to access it like http://squidbox it shows a page

---
* Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
-

So it looks like port forwarding is working proper as port 80. In squid conf, we have

--
http_port 3128 transparent
--

Thanks, Kirtimaan

Indunil Jayasooriya wrote:

To my surprise, I can use internet even when squid service is down. So now it means that squid is not configured properly ? How I can verify this, please guide. Thanks, Kirtimaan

Could you pls draw your network diagram? How many ethernet does squid box have? Hope to hear from you.

-- Please use Squid 2.7.STABLE1 or 3.0.STABLE6
Re: [squid-users] Squid 2.6 Access Log Not showing access to websites
On tor, 2008-06-05 at 11:37 +0530, Kirtimaan wrote:

On squid box, there is a utility Guarddog used for port forwarding. So it forward all traffic on port 80 to Squid port 3128.

I'd say your problem is here. You have port forwarded port 80 on the server itself to port 3128 on the server itself. Same as configuring Squid to listen on port 80 directly.

What you need is a rule which intercepts (NAT:s) any outgoing traffic to port 80 on servers out on the Internet and redirect these to Squid. This is different from port 80 on the server itself.

Regards Henrik
Re: [squid-users] Squid 2.6 Access Log Not showing access to websites
Kirtimaan wrote: Hello Amos, Thanks for reply. How I can check if any log restriction is applied or not ? The options I mentioned will have ACL on them in your squid.conf. I don't face any problem accessing internet using system as a gateway and DNS while SQUID is running. Does it stop working when Squid not running? Amos Thanks. Amos Jeffries wrote: Kirtimaan wrote: Hello, I have Squid 2.6 STABLE 16, installed on a fedora core 7 box. This is a transparent proxy and all other window system on network use fedora box IP as gateway and DNS server. There is only one ACL defined and that is ALLOW all as there is no need to block access. Though, there should be logging of sites accessed by users in network along with their IP address. I checked access.log file and it shows only entries like * 1212550126.877 2 192.168.1.4 TCP_DENIED/403 1391 GET http://fedbox/favicon.ico - NONE/- text/html * where mglcl is the host name of the fedora box. It doesn't log the access to out side websites. If there is any configuration setting which can be turn on to start logging access of sites by user? log_access and access_log options both accept ACL. By default every request is logged. If you have not configured a log restriction then your interception(transparent) is failing. Amos -- Please use Squid 2.7.STABLE1 or 3.0.STABLE6
Re: [squid-users] Squid 2.6 Access Log Not showing access to websites
Hello Amos, Does it stop working when Squid not running? To my surprise, I can use internet even when squid service is down. So now it means that squid is not configured properly ? How I can verify this, please guide. Thanks, Kirtimaan Amos Jeffries wrote: Kirtimaan wrote: Hello Amos, Thanks for reply. How I can check if any log restriction is applied or not ? The options I mentioned will have ACL on them in your squid.conf. I don't face any problem accessing internet using system as a gateway and DNS while SQUID is running. Does it stop working when Squid not running? Amos Thanks. Amos Jeffries wrote: Kirtimaan wrote: Hello, I have Squid 2.6 STABLE 16, installed on a fedora core 7 box. This is a transparent proxy and all other window system on network use fedora box IP as gateway and DNS server. There is only one ACL defined and that is ALLOW all as there is no need to block access. Though, there should be logging of sites accessed by users in network along with their IP address. I checked access.log file and it shows only entries like * 1212550126.877 2 192.168.1.4 TCP_DENIED/403 1391 GET http://fedbox/favicon.ico - NONE/- text/html * where mglcl is the host name of the fedora box. It doesn't log the access to out side websites. If there is any configuration setting which can be turn on to start logging access of sites by user? log_access and access_log options both accept ACL. By default every request is logged. If you have not configured a log restriction then your interception(transparent) is failing. Amos
Re: [squid-users] Squid 2.6 Access Log Not showing access to websites
Kirtimaan wrote: Hello Amos, Does it stop working when Squid not running? To my surprise, I can use internet even when squid service is down. So now it means that squid is not configured properly ? How I can verify this, please guide. You have already verified. It's definitely an interception problem outside of Squid. How its solved will depend on your systems. Was it WCCP, iptables (REDIRECT), transparent policy routing, other firewall interception? I don't have a lot of time this week but I'll see what I can do. With the answer to the above question, locate the Squid wiki FAQ entries for your interception/transparency type and check that your config matches. http://wiki.squid-cache.org/SquidFaq/ Amos Thanks, Kirtimaan Amos Jeffries wrote: Kirtimaan wrote: Hello Amos, Thanks for reply. How I can check if any log restriction is applied or not ? The options I mentioned will have ACL on them in your squid.conf. I don't face any problem accessing internet using system as a gateway and DNS while SQUID is running. Does it stop working when Squid not running? Amos Thanks. Amos Jeffries wrote: Kirtimaan wrote: Hello, I have Squid 2.6 STABLE 16, installed on a fedora core 7 box. This is a transparent proxy and all other window system on network use fedora box IP as gateway and DNS server. There is only one ACL defined and that is ALLOW all as there is no need to block access. Though, there should be logging of sites accessed by users in network along with their IP address. I checked access.log file and it shows only entries like * 1212550126.877 2 192.168.1.4 TCP_DENIED/403 1391 GET http://fedbox/favicon.ico - NONE/- text/html * where mglcl is the host name of the fedora box. It doesn't log the access to out side websites. If there is any configuration setting which can be turn on to start logging access of sites by user? log_access and access_log options both accept ACL. By default every request is logged. 
If you have not configured a log restriction then your interception(transparent) is failing. Amos -- Please use Squid 2.7.STABLE1 or 3.0.STABLE6
Re: [squid-users] Squid 2.6 Access Log Not showing access to websites
To my surprise, I can use internet even when squid service is down. So now it means that squid is not configured properly ? How I can verify this, please guide. Thanks, Kirtimaan

Could you pls draw your network diagram? How many ethernet does squid box have? Hope to hear from you.

-- Thank you Indunil Jayasooriya
Re: [squid-users] Squid 2.6 Access Log Not showing access to websites
Kirtimaan wrote:

Hello,

I have Squid 2.6 STABLE 16, installed on a fedora core 7 box. This is a transparent proxy and all other window system on network use fedora box IP as gateway and DNS server. There is only one ACL defined and that is ALLOW all as there is no need to block access. Though, there should be logging of sites accessed by users in network along with their IP address. I checked access.log file and it shows only entries like

1212550126.877 2 192.168.1.4 TCP_DENIED/403 1391 GET http://fedbox/favicon.ico - NONE/- text/html

where mglcl is the host name of the fedora box. It doesn't log the access to out side websites. If there is any configuration setting which can be turn on to start logging access of sites by user?

log_access and access_log options both accept ACL. By default every request is logged. If you have not configured a log restriction then your interception(transparent) is failing.

Amos

-- Please use Squid 2.7.STABLE1 or 3.0.STABLE6
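Amos's reasoning above (every request is logged by default, so a log holding only requests for the proxy box itself means interception is not happening) can be turned into a check over access.log. This is an added example, not code from the thread; the function name `log_verdict` is hypothetical, and every sample line except the `fedbox` favicon entry quoted in the thread is constructed.

```shell
#!/bin/sh
# Added example: read Squid native-format access.log lines on stdin and report
# whether any logged request was for a host other than the proxy box itself.
# Arguments: the names/addresses the proxy box answers to.
log_verdict() {
    awk -v own="$*" '
        BEGIN {
            n = split(tolower(own), names, " ")
            for (i = 1; i <= n; i++) self[names[i]] = 1
        }
        NF >= 7 {
            host = tolower($7)                         # field 7 is the request URL
            sub(/^[a-z][a-z0-9+.-]*:\/\//, "", host)   # drop scheme://
            sub(/\/.*$/, "", host)                     # drop path
            sub(/^.*@/, "", host)                      # drop userinfo
            sub(/:[0-9]+$/, "", host)                  # drop :port
            # field 3 is the client address; count clients seen going outside
            if (host in self) own_hits++; else { outside++; clients[$3] = 1 }
        }
        END {
            nc = 0; for (c in clients) nc++
            if (outside)       printf "intercepting outside=%d clients=%d\n", outside, nc
            else if (own_hits) printf "self-only own=%d\n", own_hits
            else               print "empty"
        }'
}

# First line of each sample is the entry quoted in the thread; the rest are constructed.
LOG_FAILING='1212550126.877 2 192.168.1.4 TCP_DENIED/403 1391 GET http://fedbox/favicon.ico - NONE/- text/html
1212550127.102 1 192.168.1.4 TCP_DENIED/403 1377 GET http://fedbox/ - NONE/- text/html'
LOG_WORKING='1212550126.877 2 192.168.1.4 TCP_DENIED/403 1391 GET http://fedbox/favicon.ico - NONE/- text/html
1212550201.450 154 192.168.1.5 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html'

printf '%s\n' "$LOG_FAILING" | log_verdict fedbox
printf '%s\n' "$LOG_WORKING" | log_verdict fedbox
```

A `self-only` result while LAN clients are browsing points to the interception rule rather than to Squid's logging configuration, which is the conclusion the thread reaches.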
Re: [squid-users] Squid 2.6 Access Log Not showing access to websites
Hello Amos, Thanks for reply. How I can check if any log restriction is applied or not ? I don't face any problem accessing internet using system as a gateway and DNS while SQUID is running. Thanks. Amos Jeffries wrote: Kirtimaan wrote: Hello, I have Squid 2.6 STABLE 16, installed on a fedora core 7 box. This is a transparent proxy and all other window system on network use fedora box IP as gateway and DNS server. There is only one ACL defined and that is ALLOW all as there is no need to block access. Though, there should be logging of sites accessed by users in network along with their IP address. I checked access.log file and it shows only entries like * 1212550126.877 2 192.168.1.4 TCP_DENIED/403 1391 GET http://fedbox/favicon.ico - NONE/- text/html * where mglcl is the host name of the fedora box. It doesn't log the access to out side websites. If there is any configuration setting which can be turn on to start logging access of sites by user? log_access and access_log options both accept ACL. By default every request is logged. If you have not configured a log restriction then your interception(transparent) is failing. Amos